Using Touch ID to separate bots from humans in social media

Whenever you’re on a social network, like Facebook or Twitter, you know who your friends and family are. However, there are many accounts that you don’t know personally, which can be bots. How can you tell bot from human? This a general issue beyond just social media. Google supports an approach to this called reCAPTCHA which can require a user doing a task that a human can do better than a bot. However, when posting to a social network, this process would be tedious and lead to lower engagement. Apple’s Touch ID may be able to help.

Apple introduced Touch ID in 2013 to allow users to quickly unlock their phones and download apps without having to re-enter their password. It was extended to all app developers in 2014 so they could store secure credentials that could only be unlocked with a fingerprint.

The proposal is to use Touch ID (and potentially Face ID, which was introduced in 2017) as a way to uniquely confirm a human is behind every social media post. Storing secure credentials would not work because they are known to the user, and hence to a bot developer. Instead, the proposal is to allow an app developer (and hence Twitter and Facebook) the ability to provide a timestamped server-generated message that needs to be encrypted via a hardware key that is only available during a finger press. That encrypted message is then sent back to the app developer’s server, where it is decrypted from a list of public keys based on device model and operating system version. If the decrypted message matches the original server message, then the app developer knows that a genuine human confirmed the operation, and the social media post can be accepted. The whole process would need to occur within a certain amount of time, like 30 seconds, in order to stop malicious users from accumulating many encrypted messages in order to spam the network.

This idea is currently not supported by Touch ID, but would require an upgrade allowing device-specific private keys to be stored on the device and public keys to be made available for app developers to confirm encrypted messages. In order to spur adoption among major social networks, the confirmation mechanism would need to be standardized so other hardware providers can implement it on their own hardware. Initially, this could be an optional feature, allowing accounts with more “Touch ID” confirmed posts to be displayed prominently. In the future, users should be able to display only confirmed posts, to ensure their social media feed is bot-free.